Your IT experience is pretty extensive. Got any best practices to share to help us "air tight" our brokerage accounts?
Not without trusting some sort of manager. Who is going to remember 30 random chars?
I surely would not be using Chrome or Edge - both Microsoft and Google are already known for privacy issues...
And Firefox is not much better, simply from the POV that EVERY browser must deliver those passwords, and that transmission must remain suspect.
However, all y'all no doubt use your phones for transactions, which are either Google or Apple, so you have to figure that someone is recording what you do no matter what. And that cannot be beat except with eyeball transactions at the counter of a local brokerage... Outside of that, you are hanging out somewhere.
As to critical passwords - I use an open source manager called KeyPass. It is, foremost, open source - every line of its code can be examined.
It is not famous other than in tech and open source circles - so any fault there might be in the way of exploit is offset by its relative obscurity (hackers tend to put their efforts toward popular means), so my choice in that is intentional. It does store passwords in an encrypted container, with several means of access design.
Anything in that password can is super critical to me, and is only accessed with one machine, and that machine is normally offline, and hard wired when it is online. It holds critical bank account passwords, critical serverside passwords, both for my site and my local server access. It also holds all my passwords for encrypted containers.
But all of that really means nothing in daily use - Because I must operate electronically. So like everyone else I have to rely on the means available, which are not all that secure. But it DOES offer me a God-Mode solution, regardless of how I am hacked, except for a direct physical attack here at my house, or at one of two more locations where ancillary access is maintained wholly by sneaker-net, one of which is highly portable, but seldom used beyond the need to keep the device(s) registered as legit access devices to various accounts with time restrictions...
In every critical place, there are TWO users, one that I use in the typical fashion, and another that is only accessed by that highly guarded secondary system - Which is actually the primary system. Every administrative account is made there, with the more promiscuous user not having access to administration of the accounts. So I can operate in the user level account normally, but I NEVER access account administration anywhere except from that singular system.
I have been hacked, and I will be hacked again. So far, those GodMode accounts have been the solution. But that is because of what I am, and what I attract, so I don't know if such steps are practical for the average Joe.
Beyond something like that, you must have some reliance on the systems in common use... So buy machines that offer encrypted operation with fingerprint access, especially so wrt portable devices, and primary access devices. Limit access to those devices strictly. Change passwords often, and use random computer generated passwords, and 2FA. That is really all you get. Beyond that, you must trust browsers, brokerages, and authenticators. Not much for it.
OR stay away from electronics, and pick a broker/bank with walk-up eyeball service, and only use it that way, no matter how convenient the app might be. It is all about convenience and that convenience is what always becomes the exploit.
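The post above recommends random, computer-generated passwords and 2FA without showing what either looks like under the hood. The following is an added example, not code from the poster or from any password manager or authenticator mentioned in the thread: it generates a password from the OS CSPRNG, estimates its entropy, and implements RFC 4226 HOTP / RFC 6238 TOTP (the algorithm behind authenticator apps) with a constant-time check and a small drift window. The secret `12345678901234567890` is the RFC test-vector key, not a real credential; the 30-character length and 94-symbol alphabet are assumptions chosen to match the "30 random chars" figure in the thread.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

# Assumed alphabet: letters, digits and ASCII punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 30, alphabet: str = ALPHABET) -> str:
    """Password drawn from the OS CSPRNG. secrets.choice rejection-samples,
    so there is no modulo bias toward the start of the alphabet."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(alphabet_size)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits, algo)


def verify_totp(secret: bytes, code: str, for_time=None, window: int = 1,
                **kw) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock
    drift; compare in constant time so timing does not leak digit matches."""
    if for_time is None:
        for_time = time.time()
    step = kw.get("step", 30)
    for drift in range(-window, window + 1):
        expected = totp(secret, for_time + drift * step, **kw)
        if hmac.compare_digest(expected, code):
            return True
    return False


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps hand out base32 secrets, often unpadded and spaced."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{password_entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    # RFC 6238 test-vector key; at T=59 the 8-digit SHA-1 code is 94287082.
    key = b"12345678901234567890"
    print("TOTP at T=59:", totp(key, for_time=59, digits=8))
    print("current code:", totp(decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")))
```

The entropy figure is what the "30 random chars" in the thread buys you: roughly 196 bits over a 94-symbol alphabet, far beyond anything brute force reaches. The TOTP side shows why an authenticator code is only as strong as the shared secret and the server's clock tolerance: widen `window` and you widen the attacker's guessing target.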